Changes between Version 26 and Version 27 of T12_Security/ESG/LoginAttributeRequestAndAuthorizationPushAndPullModel


Ignore:
Timestamp:
08/09/08 15:20:53 (11 years ago)
Author:
pjkersha
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • T12_Security/ESG/LoginAttributeRequestAndAuthorizationPushAndPullModel

    v26 v27  
    3030 a. BADC site serving the secured dataset ''datasetA''. 
    3131 a. BADC PDP (Policy Decision Point), a service that makes an access control decision based on the attributes controlling access to a given resource and the user attributes available.  (''Is this a Resource Policy Service in ESG terminology?'') 
    32  a. BADC PEP (Policy Enforcement Point) or gatekeeper (''name for this in ESG terms?'').  This enforces access control decisions for a given resource or resources.  It do so by requesting that a PDP make an access control decision on its behalf.  It then enforces that decision by allowing or denying access.   
     32 a. BADC PEP (Policy Enforcement Point) or gatekeeper (''name for this in ESG terms?'').  This enforces access control decisions for a given resource or resources.  It does so by requesting that a PDP make an access control decision on its behalf.  It then enforces that decision by allowing or denying access.   
    3333 a. BADC Attribute Service responsible for attribute assignment and querying.  This service: 
    3434   * enables a user to register for access to datasetA, agree to terms and be allocated the attribute attributeA which determines access to datasetA; 
     
    3737==== Assumptions ==== 
    3838 * This is a use case for browser based access only 
    39  * The user is not logged in to NCAR site 
     39 * The user is not logged in to the NCAR or BADC sites 
    4040 * Control to ''datasetA'' is governed by an attribute ''attributeA''. 
    4141 * The user is registered with ''attributeA'' at the BADC Attribute Service. 
     
    5454 1. The user's browser is redirected to the NCAR IdP.   
    5555 1. The user logs in. 
    56  1. The NCAR may prompt the user to check that they agree to certain attributes being pushed back to the BADC site. 
    57  1. The NCAR IdP redirects the browser back to the BADC site passing user attributes in addition to the usual OpenID protocol message response content. 
     56 1. The NCAR IdP may prompt the user to check that they agree to certain attributes being pushed back to the BADC site. 
     57 1. If the user agrees to it, the NCAR IdP redirects the browser back to the BADC site passing user attributes in addition to the usual OpenID protocol message response content. 
    5858 1. The BADC site's PEP is invoked to allow or deny access to the resource. 
    5959 1. The PEP passes the NCAR user's attributes to the BADC PDP so that it can make an access control decision. 
     
    6969 
    7070==== Description ==== 
    71 This is extension of the last use case using the same trigger point but in this scenario the user is not registered for access to datasetA:  This use case continues from point 13) in the last use case but with the assumption that access was denied because the user is not registered for access. 
     71This is an extension of the last use case using the same trigger point but in this scenario the user is not registered for access to datasetA.  The use case continues from point 13) of the last use case but with the assumption that access was denied because the user is not registered with BADC Attribute Service for access. 
    7272 
    7373==== Actors ==== 
     
    9898Continuing from point 13) in the last use case: 
    9999 1. The Attribute Service returns a response to the PDP that the NCAR user is '''not''' registered for attributeA. 
    100  1. The BADC site redirects the user's browser to the authorization request form hosted at the BADC. 
     100 1. The BADC site redirects the user's browser to a registration form hosted at the BADC. 
    101101 1. The user completes details, agrees to the terms of a usage policy, submits and awaits a response. 
    102  1. The details from the form are submitted to the BADC Attribute Service. 
     102 1. The details from the form are submitted to the BADC Attribute Service (The Attribute Service could itself host the form) 
    103103 1. The user is approved for access to datasetA.  (This may be an immediate decision or it may require submission to an approval panel). 
    104104 1. When approved, the Attribute Service creates a user profile for this user containing attributeA.